You'll re-compile the session id to check validity each time, right? You'd need 3 things: username, IP (granted), and login time(granted if stored for use as salt).
IP and a request-incremented value are good additions- salt to taste.

But if you only send the session ID, where is the username coming from?